Silly Apache Question...
Kevin
plug-discuss at firstpacket.com
Thu May 4 14:33:20 MST 2006
On 5/4/06 2:11 PM, "Zeddy" <zeddicius at falldowngoboom.org> wrote:
> How can you tell what Apache is doing.... I'm having something happen every
> night at like 3am....
Do you see anything interesting in your access.log about that time?
> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
> popuser 57198 11.3 0.0 0 0 ?? Z 3:29AM 0:00.00 (perl5.8.4)
That is strange looking output for PID 57198. What is that?
> killing and restarting apache fixes it... but... it kills everything.... 'cause
> it's beating on the server....
>
> is there anything like top that would show what site is doing this...?
Take the child PID for the runaway httpd process and run it through `lsof`
to see what file descriptors it has open. You might also use a sniffer like
ethereal (or even just tcpdump) to capture the inbound traffic around that
time.
I would also look for any unusual shell processes around that time, in case
someone has found an exploit to drop a shell (again a sniffer would be most
handy here). For that matter I would examine ANY processes that started
after the spike (3:29am in this case).
...Kevin
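
The triage suggested in this reply (busiest httpd child through `lsof`, then any process that started after the spike), as an added example that is not part of the original message. It assumes Linux procps `ps` (for the `etimes` keyword) and `lsof`; the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example. Row layout used by every helper:
#   USER PID PPID %CPU STAT ELAPSED_SECONDS COMMAND
snapshot() {
    ps -e -o user= -o pid= -o ppid= -o pcpu= -o stat= -o etimes= -o comm=
}

# busiest NAME: read snapshot rows on stdin, print the PID of the process
# named NAME with the highest %CPU (prints nothing if none match).
busiest() {
    awk -v name="$1" '
        $7 == name && ($4 + 0 > max || pid == "") { max = $4 + 0; pid = $2 }
        END { if (pid != "") print pid }'
}

# started_within SECONDS: keep rows for processes no older than SECONDS,
# i.e. everything that started after the spike began.
started_within() {
    awk -v limit="$1" '$6 + 0 <= limit + 0'
}

# suspicious: keep zombies (STAT begins with Z) plus shells and script
# interpreters, which deserve a second look when they appear mid-spike.
suspicious() {
    awk '$5 ~ /^Z/ || $7 ~ /^(ba|da|c|tc|k|z)?sh$/ || $7 ~ /^(perl|python|php)/'
}

# triage NAME SECONDS: live run. Shows the open files and sockets of the
# busiest NAME process, then the young suspicious processes.
triage() {
    snap=$(snapshot)
    pid=$(printf '%s\n' "$snap" | busiest "$1")
    [ -n "$pid" ] && lsof -nP -p "$pid"
    printf '%s\n' "$snap" | started_within "$2" | suspicious
}

# Constructed sample rows (not from the original post) for an offline run.
SAMPLE='root 640 1 0.0 S 86390 bash
root 812 1 0.0 Ss 86400 httpd
www 57101 812 0.3 S 5400 httpd
www 57150 812 97.5 R 1260 httpd
popuser 57198 57150 11.3 Z 1200 perl5.8.4
www 57201 57150 0.0 S 1190 sh'

# Offline: which httpd child is hot, and what appeared in the last 30 min?
printf '%s\n' "$SAMPLE" | busiest httpd
printf '%s\n' "$SAMPLE" | started_within 1800 | suspicious
# Live, as root, shortly after the spike:  triage httpd 1800
```

The PPID column in the flagged rows ties each zombie or shell back to the httpd child that spawned it, which is the PID to hand to `lsof`.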